My University Notes

Week 5 - Vulnerability Assessment, Research, and Reporting

OSI Model

Application, Layer 7

  • Access Control
  • Authentication
  • Malware
  • Software Vulnerabilities

Presentation, Layer 6

  • Format
  • encoding
    • e.g. unicode vulnerabilities

Session, Layer 5

  • Cookies
  • authentication

Transport, Layer 4

  • Replay Attacks
  • TCP Attacks
  • SSL/TLS
  • encryption

Network, Layer 3

  • Routing protocols
  • VPN
  • IP Spoofing
  • Firewalls

Data Link, Layer 2

  • MAC Spoofing
  • ARP spoofing / cache poisoning

Physical, Layer 1

  • Physical security
  • Locks
  • Cables
  • Wireless
  • Biometrics
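The Presentation-layer point about unicode vulnerabilities is worth a concrete illustration. The following is an added example, not part of the original notes: an ASCII-only filter is applied to raw input, after which the value is NFKC-normalised before it reaches its sink (normalisation happens in many frameworks and databases). The fullwidth angle brackets in the constructed input (U+FF1C and U+FF1E) are not '<' and '>' to the filter, but NFKC folds them into exactly those characters. The function names and the crafted string are assumptions made for this example.

```python
import unicodedata

# Constructed sample input: fullwidth angle brackets (U+FF1C and U+FF1E) that an
# ASCII-only filter does not recognise as '<' and '>'.
CRAFTED = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"


def looks_like_markup(s: str) -> bool:
    """ASCII-only check: does the string contain an HTML script tag opener?"""
    return "<script" in s.lower()


def validate_then_normalise(s: str) -> str:
    """Vulnerable order: the filter sees harmless fullwidth characters, then NFKC
    folds them into ASCII '<' and '>' before the value reaches the sink."""
    if looks_like_markup(s):
        raise ValueError("rejected")
    return unicodedata.normalize("NFKC", s)


def normalise_then_validate(s: str) -> str:
    """Hardened order: canonicalise first, then validate the form the sink will see."""
    canonical = unicodedata.normalize("NFKC", s)
    if looks_like_markup(canonical):
        raise ValueError("rejected")
    return canonical


def rejected(pipeline, s: str) -> bool:
    """True if the pipeline refuses the input (helper for comparing the two orders)."""
    try:
        pipeline(s)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("validate-then-normalise delivers:", validate_then_normalise(CRAFTED))
    print("normalise-then-validate rejects:", rejected(normalise_then_validate, CRAFTED))
```

The general rule the example shows is that validation must run on the canonical form the consumer will actually see; any transformation (normalisation, URL decoding, case folding) applied after the check is an opportunity to smuggle the blocked characters past it.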

Locations of Assessments

Human

  • Human Errors
  • Insider threat
  • social engineering
  • indifference

Application

  • Functions
  • storage
  • memory management
  • input validation

Host

  • Access Control
  • memory
  • malware
  • backdoor
  • OS/Kernel

Network

  • Map the network
  • Services
  • Leaks
  • Intercept Traffic

Types of Penetration Testing

Black Box

  • Zero Knowledge
  • Testing as Attacker

Grey Box

  • Some Knowledge
  • Testing as User with access to some data

White Box

  • Full Knowledge
  • Testing as Developer

Stages of Engagement

  1. Asset Discovery
  2. Asset Prioritisation
  3. Vulnerability Scanning
  4. Result analysis & remediation
  5. Continuous Security

Pre-Engagement

  • Understand the scope
  • What are the objectives
  • Understanding priorities

Asset Discovery

  • White Box Testing
    • Access to the network/Site Management
    • Knowledge of resources
  • Passive Means
    • Google Dorking
    • Shodan
    • OSINT
    • Threat Intelligence
  • Active Means
    • Port Scans
    • Web Crawling
  • Social Engineering and Phishing

Asset Prioritisation

  • Rank assets by their business impact and the risk to them
  • Rank vulnerabilities by severity and how easily they can be exploited

Vulnerability Identification

  • How is the data stored?
    • Memory
    • Database
    • File
    • Cloud
    • Access Control
    • People
  • How is data processed?
    • Computer architecture
    • Memory
    • Applications
    • People
  • How is data Transmitted?
    • Encryption
    • Medium
    • Protocols
    • People

Manual Identification

  • Is User input trusted?
    • Find injection points
      • Web input
      • network packets
        • e.g. CVE-2019-3568 (buffer overflow in the WhatsApp VoIP stack, triggered by crafted SRTCP packets)
    • Fuzzing
    • Testing
    • Exploit
  • Common Pitfalls
    • Common Errors & Vulnerabilities
    • Default configurations
    • Exposed data and credentials
  • Source Code
    • Bugs
    • Reverse Engineer
  • Protocol Analysis
  • Fuzzing
  • Enumeration
    • Hostnames
    • Passwords
    • Directories
    • Services
  • Stress Testing
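The "is user input trusted?" and fuzzing points above can be shown end to end on a small web-style lookup. This is an added example, not code from the original notes: a constructed in-memory SQLite table, a deliberately vulnerable lookup that splices the input into the query text, the same lookup with a bound parameter, and a probe loop that sends a handful of injection payloads and reports any probe that either errors out (error-based signal) or returns more rows than a baseline request (boolean-based signal). The table contents, probe list and function names are assumptions made for this example.

```python
import sqlite3
from typing import Callable, Dict, List

# Constructed sample data standing in for the target's user table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "staff"), ("carol", "staff")]

# Probes sent into the suspected injection point. Each either breaks query
# syntax (error-based signal) or changes query logic (boolean-based signal);
# the double-quote variant is a negative control that should do neither here.
PROBES = [
    "'",
    "' OR '1'='1",
    "' OR 1=1 --",
    "\" OR \"1\"=\"1",
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """Trusts user input: the value is spliced into the SQL text (deliberately vulnerable)."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """Same query with a bound parameter: the input is data and cannot alter the query."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def find_injection_points(lookup: Callable[[sqlite3.Connection, str], list]) -> Dict[str, str]:
    """Fuzz the input with PROBES and compare each result with a baseline request
    for a user that does not exist. Returns the probes that produced a signal."""
    conn = make_db()
    baseline = len(lookup(conn, "no-such-user"))
    findings: Dict[str, str] = {}
    for probe in PROBES:
        try:
            rows = len(lookup(conn, probe))
        except sqlite3.Error as exc:
            findings[probe] = f"error: {exc}"  # error-based signal
            continue
        if rows > baseline:
            findings[probe] = f"rows {rows} > baseline {baseline}"  # boolean-based signal
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_injection_points(lookup_vulnerable))
    print("safe:      ", find_injection_points(lookup_safe))
```

Against the vulnerable lookup the lone quote produces a syntax error and both tautologies return every row; against the parameterised lookup every probe is treated as a literal name and nothing is flagged. The same baseline-versus-probe comparison is how a tester confirms an injection point when error messages are hidden.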

Vulnerability Scanning

  • At its core, port and directory scans
  • Banner grabbing
  • Identifying services
  • Checking for confidential files
  • Misconfigurations
  • Attempts non-intrusive (low-impact) tests rather than full exploitation
  • Checks the identified versions of software and services against vulnerability databases

Types of Vulnerability Assessment Scans
  • Network-Based Scans
    • Identifies possible network security attacks and vulnerable systems on networks
  • Host-Based Scans
    • Finds vulnerabilities in workstations, servers, or other network hosts, and provides visibility into configuration settings and patch history
  • Wireless Scans
    • Identifies rogue access points and validates that a company's wireless network is securely configured
  • Application Scans
    • Detects known software vulnerabilities and misconfigurations in network or web applications
  • Database Scans
    • Identifies the weak points in a database
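The scanning pipeline described above (the active port scans under Asset Discovery, then banner grabbing, service identification and a version check against a vulnerability database, then ranking the results as in Asset Prioritisation) can be run offline with the following added example. It is not code from the original notes or from any scanner listed below. It starts three throwaway localhost listeners with constructed banners, performs a TCP connect scan against them, grabs each banner (reading first, then sending an HTTP request if the service stays silent), parses the version, and matches it against a small constructed vulnerability table. The table entries, identifiers such as EXAMPLE-SSH-001, version ranges and severity scores are illustrative assumptions, not real advisories.

```python
import re
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Constructed vulnerability "database": (product, first vulnerable version,
# first fixed version, identifier, severity). Identifiers, ranges and scores are
# illustrative assumptions for this example, not real advisories.
VULN_DB: List[Tuple[str, tuple, tuple, str, float]] = [
    ("OpenSSH", (7, 0), (7, 7), "EXAMPLE-SSH-001", 5.3),
    ("Apache", (2, 4, 0), (2, 4, 50), "EXAMPLE-HTTP-001", 7.5),
]


def serve_banner(banner: bytes) -> int:
    """Start a throwaway localhost listener that answers with `banner`, so the
    scan has something to hit offline. Returns the ephemeral port it uses."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner.startswith(b"HTTP/"):  # HTTP only talks after a request
                    conn.recv(1024)
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """TCP connect scan of one port plus banner grab.
    None means closed or filtered; "" means open but silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)  # SSH-style services speak first
            except socket.timeout:
                data = b""
            if not data:  # otherwise provoke a reply with an HTTP request
                try:
                    s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                    data = s.recv(256)
                except OSError:
                    data = b""
            return data.decode("latin-1").strip()
    except OSError:
        return None


def parse_version(text: str) -> tuple:
    return tuple(int(x) for x in text.split("."))


def match_vulns(banner: str) -> List[Tuple[str, float]]:
    """Identify product and version from the banner and look the version up in
    VULN_DB (lower bound inclusive, upper bound exclusive)."""
    hits = []
    for product, first_bad, first_fixed, ident, score in VULN_DB:
        m = re.search(rf"{product}[/_](\d+(?:\.\d+)*)", banner)
        if m and first_bad <= parse_version(m.group(1)) < first_fixed:
            hits.append((ident, score))
    return hits


def scan(host: str, ports: List[int], asset_criticality: float = 1.0) -> Dict:
    """Scan the ports, record open services, and return findings ranked by
    risk = severity * asset criticality (the Asset Prioritisation step)."""
    open_ports: Dict[int, str] = {}
    findings = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        open_ports[port] = banner
        for ident, score in match_vulns(banner):
            findings.append({"port": port, "id": ident, "risk": score * asset_criticality})
    findings.sort(key=lambda f: f["risk"], reverse=True)
    return {"open": open_ports, "findings": findings}


def demo() -> Dict:
    """Three constructed services: an SSH banner inside the vulnerable range,
    an HTTP server announcing an old Apache, and an open port that says nothing."""
    ssh = serve_banner(b"SSH-2.0-OpenSSH_7.4\r\n")
    http = serve_banner(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41\r\n\r\n")
    silent = serve_banner(b"")
    return scan("127.0.0.1", [ssh, http, silent], asset_criticality=1.5)


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

Two caveats a practitioner would keep in mind: a banner is a claim, not proof (vendors backport fixes without bumping the version string, and banners can be edited), so version matching produces candidates that still need confirmation; and the silent third port is still an open service that belongs in the report even though nothing could be matched against it.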

Scanners:

  • Nikto (web server scanner)
  • Nmap (port and service scanner; NSE scripts add vulnerability checks)
  • OpenVAS (open-source vulnerability scanner)
  • Metasploit (exploitation framework with auxiliary scanner modules)
  • OWASP ZAP (web application scanner)
  • Nexpose (Rapid7)
  • Nessus (Tenable)
  • Qualys
  • Tenable (vendor of Nessus; its hosted and on-premises platforms are built around it)